On Mon, 25 Feb 2019 at 20:58, Jeremy Stanley <fungi@yuggoth.org> wrote:
On 2019-02-20 19:36:28 +0100 (+0100), Sylvain Bauza wrote:
[...]
> The last item is interesting, because the OIP draft at the moment
> shows more technical requirements than the Foundation ones. For
> example, VMT is - at the moment I'm writing those lines - quoted
> as a common best practice, which is something we don't ask of our
> projects. That's actually good food for thought: security is
> crucial and shouldn't be just a tag [3]. OpenStack is mature and
> it's our responsibility to care about CVEs.
[...]

Leaving aside the assertion that "caring about CVEs" is the same
thing as caring about security, it's worth mentioning that the
centralized OpenStack VMT doesn't (and can't) easily scale. It
publishes a set of guidelines, process documents and templates which
any team can follow to achieve similar results, but the governance
tag we have right now serves mostly to set the scope of the
centralized VMT (and in turn expresses some fairly strict criteria
for expanding that scope to indicate direct oversight of more
deliverables).

Yup, and I know that :-(
When I said the above, I meant that all the projects should have at least one liaison (at least the PTL) and a way to have some security discussions if needed.

I'm open to suggestions for how the OpenStack TC can better promote
good security practices within teams. I have some thoughts as well,
though it probably warrants a separate thread at a later date when I
have more time to assemble words on the subject.

Yeah, agreed. Maybe at the next Forum, because I think we need to have a discussion with the operators about this.

Sylvain

--
Jeremy Stanley